IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 3.4)

From Tanium Knowledge Base

Tanium Threat Response 3.4.362

Release Date: 16 November 2021

Fixes

  • Fixes an issue where OpenIOC failed to detect files that contain multi-byte characters in FileName or FilePath.
  • Fixes an issue in the recorder where the SELinux policy could prevent the new Installed Applications sensor from executing.
  • Fixes an issue where a response action can result in failure rather than running the expected duration.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0-byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files are expected to appear at the top of the list.
  • Threat Response provides YARA 4.1 on endpoints, but YARA has not been updated on the Threat Response service, which still uses YARA 3.8.1. Because of this version mismatch, the service does not validate rules that use YARA 4.1-specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.4.357

Release Date: 12 October 2021

Fixes

  • Fixes an issue where editing the visible Quick Links in the workbench resets values for Quick Links in other workbenches to their default values.
  • Fixes the verbosity of console.log to make problem resolution easier.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0-byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files are expected to appear at the top of the list.
  • Threat Response provides YARA 4.1 on endpoints, but YARA has not been updated on the Threat Response service, which still uses YARA 3.8.1. Because of this version mismatch, the service does not validate rules that use YARA 4.1-specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.4.355

Release Date: 21 September 2021

Fixes

  • Fixes an issue with the recorder where third-party installations could hang while the Tanium Client is running.
  • Fixes an issue where, after using quick add to create a FileName or FilePath IOC in addition to a FileHash IOC, no alerts are generated during Quick Scans.
  • Fixes an issue where upgrading to the latest version of Threat Response from Threat Response version 3.3.33 could cause the workbench to become unusable.
  • Fixes an issue where the intel database might not be generated after upgrading from early versions of Threat Response.
  • Fixes an issue where auto-pruning of alerts could prevent the Threat Response console from retrieving pages in the workbench.
  • Fixes an issue where Index exclusions might not apply correctly due to case sensitivity.
  • Fixes an issue where the resource usage of the Recorder process on Linux might continually increase over time.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0-byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files are expected to appear at the top of the list.
  • Threat Response provides YARA 4.1 on endpoints, but YARA has not been updated on the Threat Response service, which still uses YARA 3.8.1. Because of this version mismatch, the service does not validate rules that use YARA 4.1-specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.4.346

Release Date: 10 August 2021

Important Notes

  • Threat Response 3.4 now has the capability to auto-prune alerts that are in the “Unresolved” state. It auto-prunes to the most recent 100,000 “Unresolved” alerts and removes any “Unresolved” alert older than 60 days. Alerts in the “In-Progress” or “Resolved” state will NOT be auto-deleted. This feature is turned on automatically in TaaS but is disabled for on-premises installations. Contact your support service for details on how to enable this feature for on-premises customers.
  • IndexCX provides significant performance improvements for endpoints, allowing efficient searching of hashes and file metadata. These changes include a slow walk of the disk and high-priority paths where more frequent updates are required. See the online documentation for more details about the benefits and configuration of IndexCX.
  • Reputation now uses IndexCX to allow efficient searching of large numbers of hashes with minimal endpoint impact. For 3.4 this change means that malicious hashes found by Reputation are now scanned upon intel deployment. You may want to adjust your intel deployment frequency to account for this.
  • If Tanium Reveal and Tanium Threat Response exist in the same environment, both solutions must be on a version that runs the same architecture of Tanium Index. Threat Response 3.4 and later must be installed in the same environment as Reveal 1.15 and later. Threat Response versions earlier than 3.4 can be installed in the same environment as Reveal 1.14 and earlier.
  • IndexCX now uses new sensors whose names start with 'Index File ...' instead of 'Index File Query ...'. You will need to update any Saved Questions and Connect jobs (for example, those used by Reputation) to these new sensors in order to maintain functionality with IndexCX.

Improvements

  • Alert pruning: for TaaS customers, alert auto-pruning is enabled. See Important Notes for details.
  • IndexCX: better performance and granular control
  • Reputation now uses IndexCX to allow efficient scanning of larger numbers of hashes.
  • Local drive selection and visibility from Live File Browsing
  • Impact details are now included in alerts
  • Add proxy settings to Stream configuration via the UI
  • Ability to export all events related to a specific process
  • Added SRUM data collection via live response
  • Provide a summary of live response changes when generating packages
  • Include content to help remediate alert storms
  • Support TAXII feed from InSight
  • YARA 4.1 is supported and support for the following default modules is provided: pe, elf, dotnet, hash, cuckoo, math, and time. The default magic module is not supported.
  • Support for sending Windows Security events via Stream
  • Help text provided for creating suppression rules
  • THR Trends boards respect RBAC2 permissions
  • Implement persistent query filters
  • Saved Evidence dates will no longer be changed on upgrade
  • Square brackets are now allowed in Live Response names
  • A banner will now be displayed when the Threat Response license has expired
  • Health check remediation re-issue now issues correctly
  • Fixed issue where DB locks were not allowing Alert state changes
  • Detect will no longer try to parse all old quickscan files simultaneously.
  • Fixed issue with poor Alert grid performance on Intel pages
  • Column changes are now persisted when opening the Alert details drawer
  • Fixed issue where search for an Index exclusion will deselect all currently selected exclusions
  • Fixed issue where the filter builder interpreted the word ‘and’ in a signal incorrectly
  • Updated PowerForensic Prefetch sensor description
  • Added pop-up text to enterprise-pivot icon
  • Fixed issue where clicking Alerts would cause page to temporarily disappear
  • Increased Live Connection initiation timeout
  • Fixed text display under Saved Evidence Page

Fixes

  • Quarantine config file now works with non-standard Tanium Client directories on Linux/Mac
  • Updated Reputation Intel Documents to allow for THR quick scanning
  • Improves TAXII feed http/https attempts
  • Fixed false positives in quick scans due to percent characters
  • Live Response now supports multiple environment variables
  • Improved suppressions matching for Linux group/user fields
  • Adds updates to the Mac Autoruns sensor
  • Helps ensure WAL files do not grow without bound on the module server
  • Quick scans now properly handle process signatures
  • Supports Azure blobs as a live response destination
  • Improves import of signals with group terms in the signal
  • Fixed viewing profiles with deleted computer groups
  • Fixed "Assign to workbench" action
  • Upgrading will no longer modify the date of saved evidence
  • Square brackets no longer cause errors in live response
  • Fixed license requirements for legacy licenses
  • Fixed remediation action reissue time
  • Fixed alert status changes
  • Remediation of orphaned quick scans
  • Improve alert page performance
  • Fixed data grid customizations
  • Fixed searching/selecting exclusions
  • Fixed signal filter builder that had an "AND" in the context
  • Corrected description of powerforensics prefetch sensor
  • Fixed display of text on saved evidence page
  • Remove PWC as an IOC provider
  • Quickscan for signal will no longer treat % as a wildcard
  • Fixed unicode character parsing in event service
  • Added ability to impact previous signals where the process terms are grouped
  • Image filters are now included in filter exports
  • Fixed an issue where moving a single intel document to a workbench would move all intel documents from that source

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0-byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files are expected to appear at the top of the list.
  • Live connections to endpoints might disconnect when exporting events that are larger than 2 MB.
  • Threat Response provides YARA 4.1 on endpoints, but YARA has not been updated on the Threat Response service, which still uses YARA 3.8.1. Because of this version mismatch, the service does not validate rules that use YARA 4.1-specific features. This will be addressed in a future release of Threat Response.

Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.
